Sunday, August 23, 2015

Windows : wmic : Polling Your System for Installed Applications


I have discovered a new method to find the installed applications on your system.

This method uses "wmic.exe" from the command line.
I don't know if there is a front-end GUI for wmic, but just use the command line.
It's better. Trust me. :^)

1) Launch cmd.exe (or just cmd) and ensure you have administrative privileges.
"Run as administrator"
----------------------------------------------------------------------------------------

A note: After running cmd, you may be presented with the prompt "c:\windows\system32".
Since that is a system directory, I suggest changing the location.
Change your CLI location to something more familiar, such as "c:\users\logged-in-name", or any other location that you have rights to change to.

----------------------------------------------------------------------------------------

2) At the command line, enter: wmic
You will be presented with a different prompt which will be: wmic:root\cli

----------------------------------------------------------------------------------------

3) Then type: /output:C:\InstallList.txt product get name,version
You can change the destination and file name of the output file if you desire.

It may take a while for the system to generate InstallList.txt so be patient.

4) View InstallList.txt with your favorite text editor

----------------------------------------------------------------------------------------

The output using the parameters listed will show the name and version of the applications installed.
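Once InstallList.txt exists, the next question is what to do with it. Two caveats a practitioner should know before relying on it: the `product` alias maps to the WMI class Win32_Product, which only enumerates software installed through Windows Installer (MSI), and querying that class makes Windows run a consistency check on every MSI package it finds, which is why the command is slow; the Uninstall keys in the registry are the more complete inventory. Microsoft has also since deprecated wmic itself. The script below is an added example, not code from the original post: it parses the fixed-width table wmic writes (assumed to be a UTF-16 file with a byte-order mark when /output: is used, with each column aligned to its header word) into records, and diffs two snapshots so that software that appeared since a known-good inventory stands out. The sample file contents and product names are constructed for the example.

```python
"""Parse the fixed-width table that `wmic product get name,version` writes.

Added example; not part of the original post. It assumes wmic's table format:
a header row, one row per product, every column aligned to its header word,
and (when /output: is used) a UTF-16 file with a byte-order mark. The sample
below is constructed to look like such a file.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledProduct:
    name: str
    version: str


def _column_starts(header: str) -> list[int]:
    """Offsets at which each header word begins; these are the column boundaries."""
    return [i for i, ch in enumerate(header)
            if ch != " " and (i == 0 or header[i - 1] == " ")]


def parse_wmic_table(text: str) -> list[dict[str, str]]:
    """Slice each data row at the header's column offsets.

    Splitting rows on whitespace would corrupt product names that contain
    runs of spaces (common in real installer names), so fixed-offset slicing
    is used instead. wmic ends lines with CR CR LF; splitlines() turns the
    extra CR into empty lines, which are dropped here.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header, rows = lines[0], lines[1:]
    starts = _column_starts(header)
    bounds = list(zip(starts, starts[1:] + [None]))
    columns = [header[a:b].strip() for a, b in bounds]
    return [dict(zip(columns, (row[a:b].strip() for a, b in bounds))) for row in rows]


def decode_wmic_output(raw: bytes) -> str:
    """A /output: file starts with a UTF-16 BOM; console redirection does not."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def load_installed_products(raw: bytes) -> list[InstalledProduct]:
    """Turn the raw bytes of InstallList.txt into InstalledProduct records."""
    return [InstalledProduct(r["Name"], r["Version"])
            for r in parse_wmic_table(decode_wmic_output(raw))]


def diff_inventory(baseline: list[InstalledProduct], current: list[InstalledProduct]):
    """(added, removed) between two snapshots: a cheap way to notice software
    that appeared on a host since the last known-good inventory."""
    base, cur = set(baseline), set(current)
    key = lambda p: (p.name, p.version)
    return sorted(cur - base, key=key), sorted(base - cur, key=key)


# Constructed sample resembling InstallList.txt (product names invented for the example).
_HEADER = "Name".ljust(45) + "Version".ljust(12)
_ROWS = [
    "Example Redistributable  x86 - 10.0.40219".ljust(45) + "10.0.40219".ljust(12),
    "Example Tool (64-bit)".ljust(45) + "3.8.5150.0".ljust(12),
]
SAMPLE_INSTALLLIST = b"\xff\xfe" + "\r\r\n".join([_HEADER, *_ROWS, ""]).encode("utf-16-le")


if __name__ == "__main__":
    products = load_installed_products(SAMPLE_INSTALLLIST)
    for p in products:
        print(f"{p.name!r:50} {p.version}")
    added, removed = diff_inventory(products[:1], products)
    print("added:", added, "removed:", removed)
```

To use it on a real file, read InstallList.txt in binary mode and pass the bytes to `load_installed_products`; keep the first run's result as the baseline and feed later runs to `diff_inventory`.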

Easy enough, huh?


Yours truly,

Robert Cazares

Find me at robertcazares@gmail.com

~^-~^-~^-~^-~^-~^-~^-~^-~^-~^-~^-~^-~^-~^-~^-~^-~^-~^-

The Secret Sauce

What is wmic?

The Windows Management Instrumentation Command-line (WMIC) is a command-line and scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through WMI. WMIC is based on aliases.

More information -
Using the Windows Management Instrumentation Command-line (WMIC) tool
https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/wmic.mspx?mfr=true


WMIC - Take Command-line Control over WMI
https://msdn.microsoft.com/en-us/library/Bb742610.aspx

Created: August 23, 2015, 14:00
Updated: August 23, 2015, 17:00 <-- or somewhere thereabout


Thursday, October 31, 2013

Image Error Level Analyser


   The internet is a big place. I get lost often, jumping from one link to another, which reveals yet another interesting web site/ web page. It takes a lot to stay focused, especially with the many major interests I have. I am glad for the diversity, but still, remaining on track with tasks at hand is of primary concern.
OK, enough of that. I'm back and intend to stay back, with a more public presence, sharing the occasional tool or application I find interesting.

   This morning I stumbled on an image forensic analysis service, since closed, but nevertheless still of value to the forensic community.

Image Error Level Analyser -  
Error level analysis shows differing error levels throughout images, which may suggest some form of digital manipulation has been applied to an image.

Source:
http://www.errorlevelanalysis.com/

Further information:
Dr. Neal Krawetz
http://www.hackerfactor.com/


Sunday, October 14, 2012

Event Log Explorer version 4

    Keeping up with software packages can be a daunting experience. Updates, new versions, buggy software and the like can take up a lot of time, especially if you use many different types of software.

    This post is specific to Event Log Explorer version 4. I am running Windows 7 as my main development box, and it's been fairly stable, up to the last few days. I recently rebuilt my system using a new 1GB hard drive, so it's a fairly 'new' system. The system has several USB devices connected, and I've found with all these devices, mostly USB hard drives, the system doesn't want to boot at all when I have them connected to the USB bus. My way around this problem, is to connect all my external USB drives to a 16 port USB hub. When it's time to cold or warm reboot, I disconnect all my USB devices by removing one cable connected to the system. This solution works great, provided I remember to unplug the cable. 

   Generally, I do not shut my system down, but keep it running constantly. The Windows Power Options keeps everything under control (as far as I know) by shutting down hard drives after a time I have specified in the Power Options Control Panel Applet. This last week, I am finding the system is locking up at random times. I'll go away for a few hours, come back, and it's stuck. C-A-D, Ctrl-Shift-Esc, nothing, no response from the system at all. The only way to recover, which is not the ideal power-down solution, is to yank the power cable from the back of the computer. I let it sit, off, for about 120 seconds, then power back up. Unfortunately, there isn't any way to get control back of the system. Every time I do this pull-the-plug act, it's "ouch! ouch! ouch!", and I hate doing that! This solution is OK for the occasional rare system lockup, but not every day. My fear is, of course, data loss from a shutdown that's nowhere near clean. System lock-up has happened at least five times this past week and I need to find the cause of the problem.

   So, I fire up eventvwr.exe for a look at startup times (clean start-up times, of course, will not show as an entry), anomalies, anything that will give a clue about why this system is misbehaving. The new log file format used by Vista, Windows 7 and Windows Server 2008 is significantly different from previous Microsoft Windows log file formats and includes more detailed log info than previous Windows versions. The down-side to the new format is that there is an enormous amount of data to parse through.

   Getting back to the point of this posting, which is the use of a third-party, non-Microsoft application for parsing through event logs: Event Log Viewer gets a thumbs-up from me as it offers a clean and easy to use UI to wade through the mountains of data the event log generates.

------------------------------------------------------------------

For more information related to the Windows Log File Format, go to forensicwiki.org. They have a good overview and provide a starting point for additional information.
http://www.forensicswiki.org/wiki/Windows_Event_Log_%28EVT%29



------------------------------------------------------------------
Disclaimer: They, meaning FSPro Labs, do not pay me to write up their software. I do not work there, nor do I receive any revenue from making mention of them. It is my opinion that FSPro Labs deliver a great product and tool for viewing all versions of Windows Log files.
As usual, and the 'other' standard disclaimer applies, YMMV.



Robert Cazares
Sunday, October 14, 2012

------------------------------------------------------------------
I am a Digital Forensic and Information Security Analyst. I have been working in the IT industry since 1992 and hold a degree in Digital Forensics and Information Security. I also have earned many industry respected certificates.
"Information Security is never an accident."
Find me here and directly at: robertcazares@gmail.com
------------------------------------------------------------------

Monday, September 24, 2012

Mozilla FireFox Browser History Forensics - Using Digital Detective, NetAnalysis


Looking for Mozilla FireFox browser history files?

Tested on my own system with the following system info:
- Windows 7 64-Bit
- FireFox 14.01

In this directory:
%APPDATA%\Mozilla\Firefox\Profiles\

You will find the following directory:
6t7byt3w.default (the pre-dot characters will differ from user to user)
This directory name is seventeen characters in length.
Each user's seventeen-character directory name will differ, but the extension, for example the ".default" in "12345678.default", will remain the same for all users. It is under this directory that your FireFox profile files will reside. This includes the directories under, for example, "12345678.default": bookmarkbackups, extensions, minidumps, etc.

At this time, all we are concerned with is pointing Digital Detective, NetAnalysis to this directory for the purposes of loading in the FireFox browser history.


The important file in the FireFox browser for parsing and searching the users' Internet history is "places.sqlite". When "places.sqlite" is loaded into NetAnalysis, you can begin your investigation.
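For anyone who wants to see what NetAnalysis is reading before they load the file, here is an added example (not from the original post, and not NetAnalysis code) that pulls the visit history out of places.sqlite with nothing but Python's standard library. It assumes the places.sqlite layout Firefox has used for many releases: moz_places holds one row per URL, moz_historyvisits one row per visit, visit_date is microseconds since the Unix epoch (PRTime), and visit_type carries Firefox's TRANSITION_* constants. The two-visit profile in the example is constructed in memory so it runs without a real profile; the `open_profile_readonly` helper is what you would use against a copy of a real one.

```python
"""Read Firefox history from places.sqlite with nothing but the standard library.

Added example; not part of the original post and not NetAnalysis code. It assumes
the places.sqlite layout Firefox has used for many releases: moz_places has one
row per URL, moz_historyvisits one row per visit, and visit_date is microseconds
since the Unix epoch (PRTime). The database below is constructed in memory.
"""
from __future__ import annotations

import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone

# Transition types stored in moz_historyvisits.visit_type (Firefox's TRANSITION_* constants).
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed", 5: "redirect_permanent",
               6: "redirect_temporary", 7: "download", 8: "framed_link", 9: "reload"}


@dataclass(frozen=True)
class Visit:
    visited_at: datetime
    url: str
    title: str
    how: str


def prtime_to_datetime(microseconds: int) -> datetime:
    """PRTime (microseconds since the Unix epoch) -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc)


def open_profile_readonly(path: str) -> sqlite3.Connection:
    """Open a copied places.sqlite without writing to it. Work on a copy of the
    profile (copy any places.sqlite-wal alongside it) rather than the live file."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def history(conn: sqlite3.Connection, url_like: str = "%") -> list[Visit]:
    """Every visit joined to its URL, oldest first; url_like is a SQL LIKE pattern."""
    sql = """
        SELECT v.visit_date, p.url, COALESCE(p.title, ''), v.visit_type
        FROM moz_historyvisits AS v
        JOIN moz_places AS p ON p.id = v.place_id
        WHERE p.url LIKE ?
        ORDER BY v.visit_date
    """
    return [Visit(prtime_to_datetime(d), url, title, VISIT_TYPES.get(vt, f"unknown({vt})"))
            for d, url, title, vt in conn.execute(sql, (url_like,))]


def build_sample_profile() -> sqlite3.Connection:
    """Constructed two-visit profile using only the subset of the schema queried above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    t0 = int(datetime(2012, 9, 24, 12, 0, tzinfo=timezone.utc).timestamp()) * 1_000_000
    t1 = t0 + 90 * 1_000_000
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?)", [
        (1, "https://example.com/", "Example Domain", 1, t0),
        (2, "https://example.net/login", None, 1, t1),   # NULL title, as Firefox often stores
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)", [
        (1, 0, 1, t0, 2),   # typed into the address bar
        (2, 1, 2, t1, 1),   # followed a link from visit 1
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for v in history(build_sample_profile()):
        print(v.visited_at.isoformat(), v.how, v.url, v.title)
```

Against a real profile, replace `build_sample_profile()` with `open_profile_readonly("path/to/copy/of/places.sqlite")`; the `url_like` pattern lets you narrow the result to one site while you get your bearings.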

This is just a starting point.
As I find more, more details will follow.

Sources & Tools (that I use): 
http://www.digital-detective.co.uk/
http://kb.digital-detective.co.uk/display/NetAnalysis1/Home

Not required, but tools to have a good understanding of - 
- Microsoft NotePad; .log functionality. If you don't know what I'm speaking of, 
< search: notepad ".LOG" >
To implement in notepad.exe:
Type ".LOG" (without the quotes) and (in uppercase) in the first line of a notepad.exe file, followed by one of the following codes.
ENTER = RETURN; Apple key symbol: U+2324; decimal 13, hex 0D; control+M or ^M; C0 and C1 control codes; \r; (U+21B5)
System knowledge:
- Microsoft Windows default file locations, 
- Microsoft Internet Explorer INDEX.DAT 
- Knowledge of all versions is a good thing. 
- SQL Queries


---------------------------------------------------
Corrections and edits added: October 5, 2012
---------------------------------------------------
Training today, with Oxygen Forensic Suite 2012; 
mobile forensic software, analysis of cell phones, smartphones and tablets. 
Fun! 

http://robertcazares.blogspot.com/,
http://e-cybersecurity.blogspot.com/,
http://digitalforensicanalysis.blogspot.com/

Hack THIS!

Saturday, February 11, 2012

Hash Tab for Windows

You can customize which hashes are calculated and displayed. You can hash other files for comparison. You can also paste in hash text so you don't go cross-eyed trying to compare hashes. HashTab supports the following hash functions: Adler32, CRC32, MD2, MD4, MD5, RIPEMD(128,256,320), SHA-1,256,384,512, Tiger, and Whirlpool. Coming soon, MD6, eDonkey/eMule

http://implbits.com/HashTab/HashTabWindows.aspx
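The same two things HashTab does, computing several digests of one file and checking them against a digest pasted from somewhere else, can be done from a script. This is an added example, not code from the original post or from HashTab, and it uses only Python's hashlib, so the algorithm list is whatever that module offers rather than HashTab's. It reads the input once and feeds every chunk to all hashers, and the comparison normalizes the pasted text (spaces, line breaks, case, a 0x prefix) so you are not comparing by eye. The input bytes are constructed test vectors.

```python
"""Hash data with several algorithms in one pass and check it against a pasted digest.

Added example; not part of the original post and not HashTab code. It uses only
Python's hashlib, so the algorithm set is what that module offers. The sample
input below is the classic "abc" test vector, constructed in memory.
"""
from __future__ import annotations

import hashlib
import hmac
import io
import re
from typing import BinaryIO

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_stream(stream: BinaryIO, algorithms=ALGORITHMS, chunk_size: int = 1 << 16) -> dict[str, str]:
    """Read the stream once, feeding each chunk to every hasher, so big files cost one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, algorithms=ALGORITHMS) -> dict[str, str]:
    """Digests of a file on disk, keyed by algorithm name."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def hash_bytes(data: bytes, algorithms=ALGORITHMS, chunk_size: int = 1 << 16) -> dict[str, str]:
    """Same as hash_stream, for data already in memory."""
    return hash_stream(io.BytesIO(data), algorithms, chunk_size)


def normalize_digest(text: str) -> str:
    """Pasted digests arrive with spaces, line breaks, mixed case or a 0x prefix."""
    digest = re.sub(r"\s+", "", text).lower()
    return digest[2:] if digest.startswith("0x") else digest


def match_digest(computed: dict[str, str], pasted: str) -> str | None:
    """Name of the algorithm whose digest equals the pasted text, else None.

    hmac.compare_digest keeps the comparison time independent of where the
    strings first differ; the regex check rejects anything that is not hex.
    """
    wanted = normalize_digest(pasted)
    if not re.fullmatch(r"[0-9a-f]+", wanted):
        return None
    for name, digest in computed.items():
        if hmac.compare_digest(digest, wanted):
            return name
    return None


# Constructed input: the "abc" test vector published with the hash standards.
SAMPLE = b"abc"

if __name__ == "__main__":
    digests = hash_bytes(SAMPLE)
    for name, d in digests.items():
        print(f"{name:8} {d}")
    pasted = "BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD"
    print("pasted digest matches:", match_digest(digests, pasted))
```

`hash_file` is the entry point for real files; `match_digest` returns the algorithm name so a script can also tell you which hash a vendor published when they did not say.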

Monday, March 1, 2010

Mapping USB devices via LNK files

http://windowsir.blogspot.com/2007/04/from-lab-mapping-usb-devices-via-lnk.html

Monday, April 09, 2007
From the Lab: Mapping USB devices via LNK files
My first "From the Lab" post will be to address something I see regularly in forums; how does one tie a specific USB-connected device to a Windows system using shortcut (LNK) files, given nothing more than an acquired image to work with? We know that we can extract information about USB devices that have been connected to a system using nothing more than the raw System Registry file...we can get the devices, any drive letters they were mapped to, as well as the date that they were last connected to the system. However, often times we'll have some shortcut files in an image that will point to specific files...images, documents, etc...that we may be interested in, and the drive letter will be F:\ or G:\, or something else that is not part of the system (either as physical or logical drive) that we acquired the image from. So the question is, how do we map the shortcut file to the specific device?